IPSEC On RedHat Enterprise
Published 2007-06-23 (last modified 2010-12-05)
https://www.devco.net/archives/2007/06/23/ipsec_on_redhat_enterprise.php
I’ve had the misfortune of configuring IPSEC on many FreeBSD machines and other devices in the past, and in every case it has been a pain. As a result I’ve been putting off securing the connections between three machines that I knew needed IPSEC.
Last night I figured I may as well start looking at what is involved in building a star topology between the three hosts, where traffic between every pair of nodes is encrypted. It turns out it could not possibly have been simpler.
This is well documented in the RedHat docs (RHEL 3, RHEL 4, RHEL 5), but it’s worth repeating because it really is clean, simple and elegant.
Since these are point-to-point tunnels it makes a lot of sense to treat each connection as a new network interface, and that is the approach RedHat took: simply create /etc/sysconfig/network-scripts/ifcfg-ipsecX files, where X is any number. This is a sample:
    DST=x.x.x.x
    TYPE=IPSEC
    ONBOOT=yes
    IKE_METHOD=PSK
Do the same on your other host. Now create a pre-shared key in /etc/sysconfig/network-scripts/keys-ipsecX with file mode 600:
    IKE_PSK=s3cret
This key has to be the same on both hosts. Run ifup ipsecX and the tunnel should negotiate; check /var/log/messages for diagnostics.
It is that easy. You can use tcpdump to verify that the traffic between the hosts is actually being encrypted.
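Since every tunnel is just another ifcfg-ipsecN / keys-ipsecN pair, the three-host mesh above is nothing more than one pair per peer. The script below is an added example, not from the original post or the RedHat scripts: it generates those pairs from a peer list, writes the key files with mode 600 as the post requires, and provides a check that no key file has been left readable by other users. The peer addresses, PSK and target directory are hypothetical; on a real RHEL host the directory is /etc/sysconfig/network-scripts.

```shell
#!/bin/sh
# Added example (not the post's or RedHat's code). Assumed/hypothetical:
# the peer addresses, the PSK and the output directory.

# gen_ipsec_configs DIR PSK PEER...
# Writes ifcfg-ipsec0, ifcfg-ipsec1, ... (one per peer) and a matching
# keys-ipsecN into DIR, then prints the number of tunnels written.
gen_ipsec_configs() {
    dir=$1; psk=$2; shift 2
    n=0
    umask 077                    # never create the key file world-readable
    for peer in "$@"; do
        cat > "$dir/ifcfg-ipsec$n" <<EOF
DST=$peer
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
EOF
        chmod 644 "$dir/ifcfg-ipsec$n"      # holds no secret
        printf 'IKE_PSK=%s\n' "$psk" > "$dir/keys-ipsec$n"
        chmod 600 "$dir/keys-ipsec$n"       # mode 600, as the post requires
        n=$((n + 1))
    done
    echo "$n"
}

# check_key_modes DIR
# Returns 0 when every keys-ipsec* file in DIR is owner-only (mode 600),
# 1 if any key file is readable or writable by group or other.
check_key_modes() {
    for f in "$1"/keys-ipsec*; do
        [ -e "$f" ] || continue
        perm=$(ls -l "$f" | cut -c5-10)   # group+other permission bits
        [ "$perm" = "------" ] || { echo "insecure mode on $f" >&2; return 1; }
    done
    return 0
}

# Stand-alone run: this host plus two hypothetical peers in a mesh.
# gen_ipsec_configs /tmp/ipsec-demo s3cret 192.0.2.2 192.0.2.3
# check_key_modes /tmp/ipsec-demo && echo "all key files are mode 600"
```

Run it once per host with that host's own peer list; the same IKE_PSK value must end up in the keys-ipsecN file on both ends of each tunnel.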
Under the covers the RedHat scripts still use racoon and all the standard tooling: they create files in /etc/racoon, and you can use tools such as setkey to diagnose problems.
This is a simple point-to-point VPN; the RedHat docs also show how to do it on your gateway device, and it is just as simple.